ECDSA signature verification fails on 521 bit key.

Status: Alpha

Brought to you by: ymnk

#90 ECDSA signature verification fails on 521 bit key.

Milestone: v1.0 (example)

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2015-10-25

Created: 2015-09-09

Creator: Mark Fisher

Private: No

Smaller keys are working ok, but for ECDSA key created with -b 521 with ssh-keygen, trying to use it to connect to the sshd is giving (sshd -d)

ssh_ecdsa_verify: signature incorrect

It looks like there was a similar issue in Mina SSHD.

I've compared the implementation in com.jcraft.jsch.jce.SignatureECDSA with the original version this patch applies to, and they are very similar. I'm guessing the same fix needs to be applied:
https://bitbucket.org/atlassian/mina-sshd/pull-requests/3/stashdev-9665-fix-for-incorrect-validation/diff

Additional information is in https://issues.apache.org/jira/browse/SSHD-491 and https://issues.apache.org/jira/browse/SSHD-492

Note however, that this was never accepted upstream as the author implemented it differently, see:
https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commitdiff;h=4b86f63774416cc86273c9b2c6b38d145ad55f3c

Discussion

- 2015-10-25

Just run into this as well with JSch 0.15.3 and a ecdsa-sha2-nistp521 key

ssh_ecdsa_verify: signature incorrect

followed by:

Failed public key for ...

and finally, since i don't provide any other auth methods on this box:

Recieved disconnect from ... 3: com.jcraft.jsch.JSchException: Auth fail [preauth]

256 and 384 keys work

Any ETA?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.